Subject: Re: CVS commit: src/sys/kern
To: None <elad@NetBSD.org>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: tech-kern
Date: 06/14/2006 15:53:02
> > although it's definitely better than CURTAIN or abusing KAUTH_PROCESS_CANSEE,
> > i'm not sure if it's a good idea.
> 
> I'm thinking we need a generic way of checking if object with 'cred1'
> can access object with 'cred2'.
> 
> Alternatively, we could have these cases in their respective (to-be)
> scopes -- either fileop, vnode, network, whatever.
> 
> What do you think?

i think the latter is better.

> > i'm not even sure if abusing fp->f_cred here is a good idea.
> 
> Is there a choice?

in this particular case, it depends on the definition of "curtain" things,
which i'm not aware of.

however, from the POV of the kauth framework, i think it's better for
listeners to take an object itself, rather than a credential
associated with it.

> > IMO, performing I/O and "cansee" are very different.
> 
> Maybe add a KAUTH_PROCESS_IOPERM?

maybe.

YAMAMOTO Takashi